
Secrets Manager

IBM Cloud Secrets Manager

External Secrets Operator integrates with IBM Cloud Secrets Manager for secret management.

Authentication

At the moment, we only support API key authentication for this provider. To generate your key (for test purposes we are going to generate it from your user), first go to your Access (IAM) page:


On the left, click "IBM Cloud API Keys":


Press "Create an IBM Cloud API Key":


Pick a name and description for your key:


You have created a key. Press the eye icon to reveal it. Copy or save it now, because a key cannot be displayed or downloaded a second time.


API key secret

Create a secret containing your apiKey:

kubectl create secret generic ibm-secret --from-literal=apiKey='API_KEY_VALUE'

Update secret store

Be sure the ibm provider is listed in the Kind=SecretStore:

apiVersion: external-secrets.io/v1alpha1
kind: SecretStore
metadata:
  name: secretstore-sample
spec:
  provider:
    ibm:
      serviceUrl: "https://SECRETS_MANAGER_ID.REGION.secrets-manager.appdomain.cloud"
      auth:
        secretRef:
          secretApiKeySecretRef:
            name: ibm-secret
            key: apiKey

To find your serviceUrl, open your Secrets Manager resource and go to "Endpoints" on the left. Note: use the URL without the /api suffix that is shown in the UI. The IBM Cloud Secrets Manager documentation lists the publicly available endpoints.


Secret Types

We support all secret types of IBM Secrets Manager: arbitrary, username_password, iam_credentials and imported_cert. To define the type of secret you would like to sync, prefix the secret ID with the desired type. If no type is specified, it defaults to arbitrary:

apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: ibm-sample
spec:
  # [...]
  data:
  - secretKey: test
    remoteRef:
      # defaults to type=arbitrary
      key: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  - secretKey: foo
    remoteRef:
      key: username_password/yyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy
  - secretKey: bar
    remoteRef:
      key: iam_credentials/zzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz
  - secretKey: baz
    remoteRef:
      key: imported_cert/zzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz

The behavior for the different secret types is as follows:

arbitrary

  • remoteRef retrieves a string from Secrets Manager and sets it for the specified secretKey
  • dataFrom retrieves a string from Secrets Manager and tries to parse it as a JSON object; if successful, the resulting key:value pairs are set in the Kubernetes Secret

username_password

  • remoteRef requires property to be set to either username or password to retrieve the respective field from the Secrets Manager secret and set it in the specified secretKey
  • dataFrom retrieves both the username and password fields from the Secrets Manager secret and sets the corresponding key:value pairs in the resulting Kubernetes Secret

iam_credentials

  • remoteRef retrieves an API key from Secrets Manager and sets it for the specified secretKey
  • dataFrom retrieves an API key from Secrets Manager and sets it under the apikey key of the Kubernetes Secret

imported_cert

  • remoteRef requires property to be set to one of certificate, private_key or intermediate to retrieve the respective field from the Secrets Manager secret and set it in the specified secretKey
  • dataFrom retrieves all of the certificate, private_key and intermediate fields from the Secrets Manager secret and sets the corresponding key:value pairs in the resulting Kubernetes Secret
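As an added illustration (not the operator's own code), the following Python models how the type/id key prefix and the property selector described above map onto the values that data and dataFrom produce for each secret type, including the error cases (unknown prefix, missing property, non-JSON arbitrary payload). The fetched payloads and their field names are constructed assumptions, not the Secrets Manager API schema.

```python
import json
# Secret types the page lists; a key with no "type/" prefix means arbitrary.
SUPPORTED_TYPES = ("arbitrary", "username_password", "iam_credentials", "imported_cert")
# Fields a remoteRef may select with `property`, per type, as the page describes.
PROPERTIES = {
    "username_password": ("username", "password"),
    "imported_cert": ("certificate", "private_key", "intermediate"),
}
# Constructed stand-in for what the provider fetches; field names are an
# assumption modeled on the page's wording, not the real Secrets Manager schema.
SAMPLE_SECRETS = {
    "0000": {"payload": '{"db_user": "app", "db_pass": "hunter2"}'},
    "1111": {"username": "alice", "password": "pw"},
    "2222": {"api_key": "constructed-api-key"},
    "3333": {"certificate": "CERT", "private_key": "KEY", "intermediate": "CA"},
}

def parse_remote_key(key: str) -> tuple:
    """Split 'type/id' into (type, id); a bare id defaults to type=arbitrary."""
    if "/" not in key:
        return "arbitrary", key
    secret_type, secret_id = key.split("/", 1)
    if secret_type not in SUPPORTED_TYPES or not secret_id:
        raise ValueError(f"malformed remoteRef key: {key!r}")
    return secret_type, secret_id

def resolve_remote_ref(key: str, prop=None) -> str:
    """Value written to a secretKey for one remoteRef (key plus optional property)."""
    secret_type, secret_id = parse_remote_key(key)
    secret = SAMPLE_SECRETS[secret_id]  # stands in for the Secrets Manager API call
    if secret_type == "arbitrary":
        return secret["payload"]
    if secret_type == "iam_credentials":
        return secret["api_key"]
    allowed = PROPERTIES[secret_type]  # username_password or imported_cert
    if prop not in allowed:
        raise ValueError(f"{secret_type} needs property in {allowed}, got {prop!r}")
    return secret[prop]

def resolve_data_from(key: str) -> dict:
    """Key/value pairs dataFrom would write into the resulting Kubernetes Secret."""
    secret_type, secret_id = parse_remote_key(key)
    secret = SAMPLE_SECRETS[secret_id]
    if secret_type == "arbitrary":
        parsed = json.loads(secret["payload"])  # ValueError if the payload is not JSON
        if not isinstance(parsed, dict):
            raise ValueError("arbitrary payload is not a JSON object")
        return {k: str(v) for k, v in parsed.items()}
    if secret_type == "iam_credentials":
        return {"apikey": secret["api_key"]}
    return {name: secret[name] for name in PROPERTIES[secret_type]}
```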

Creating external secret

To create a Kubernetes Secret from IBM Secrets Manager, a Kind=ExternalSecret is needed.

apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: external-secret-sample
spec:
  refreshInterval: 1m
  secretStoreRef:
    name: secretstore-sample
    kind: SecretStore
  target:
    name: secret-to-be-created
    creationPolicy: Owner
  data:
  - secretKey: test
    remoteRef:
      key: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Currently a secret can only be fetched by its ID, not by its name, so the key is a value like 565287ce-578f-8d96-a746-9409d531fe2a.

Getting the Kubernetes secret

The operator will fetch the IBM Cloud Secrets Manager secret and inject it as a Kind=Secret:

kubectl get secret secret-to-be-created -n <namespace> -o jsonpath='{.data.test}' | base64 -d